Encrypt Sensitive Configuration Data with Java

When hackers break into your network, make sure they can't find out your secrets. It's a little more work to encrypt sensitive data, but the Java Cryptography Extension (JCE) makes it straightforward.

by Javid Jamae

Jun 17, 2004

Page 1 of 3

hen application developers are developing, parameters are often hard-coded in the source code. These hard-coded parameters are often pulled out of the source code and put into property files or configuration files. System and network security policies may force a developer to address security concerns over the data that is stored in external files. So, how do you make sure that your sensitive external parameters are safe?

One way to solve this problem is to encrypt the data before it is written to the external file, then read and decrypt the data before using it in your application. The Java Cryptography Extension (JCE) provides an API that will let you do this.

Symmetric or "single key" encryption is a good choice for solving this type of problem. Single key encryption uses the same key to encrypt and decrypt data. DES and DESede are two single key encryption schemes. I will show you how to solve this problem using either of these encryption schemes with the JCE.

Author's Note (added 7/19/04): Since writing this article I have received numerous e-mails asking how one would prevent somebody from decompiling the Encrypter class and taking the key. Several suggestions have been given to me. One is to obfuscate the class using an obfuscation utility. This may ward off the innocent/slightly curious hacker, but using clever debugging techniques, a motivated yet sinister cracker can still obtain the key. Another suggestion is to pull the encryption key out of the class and use file-system permissions to prevent access to the file. As I'm told, this is the same strategy that Unix OSs use for shadowed passwords.

You need some way to secure the parameters used by your source code when they are stored in external property or configuration files.

Encrypt the data before it goes in; decrypt it before your application uses it.